BIO_flush Segmentation Fault Issue
Tomas Mraz
tomas at openssl.org
Fri Sep 30 06:50:15 UTC 2022
The SSL BIO should have the rbio from the SSL object as the next BIO.
If you create the SSL BIO and then BIO_push() the TCP socket BIO into
the SSL BIO, it will work correctly.
Otherwise, you can just fix the next BIO of the SSL BIO by using:

    BIO_up_ref(socketbio);
    BIO_set_next(sslbio, socketbio);

The SSL BIO should always have a next BIO if properly initialized.
Tomas Mraz, OpenSSL
On Thu, 2022-09-29 at 13:02 -0700, Jay Foster wrote:
> I have an application that constructs a chain of BIOs. Sometimes this
> chain also includes an SSL BIO. Years ago, I ran into a problem that
> caused BIO_flush() to segfault on the SSL BIO. This turned out to
> happen because the SSL BIO is added using SSL_set_bio() instead of
> BIO_push(). SSL_set_bio() results in the SSL BIO always having a NULL
> bio_next value, so BIO_flush then crashes dereferencing this NULL
> pointer when it calls BIO_copy_next_retry() on the SSL BIO (see
> BIO_CTRL_FLUSH in ssl/bio_ssl.c).
>
> This was reported as ticket 2615 years ago.
>
> My question is, how could calling BIO_flush() on a BIO chain with an SSL
> BIO ever work? Is there a way to add the SSL BIO using BIO_push()
> instead of SSL_set_bio()?
>
> Jay
>
--
Tomáš Mráz, OpenSSL